EggXpert

The official Newegg tech support community and Newegg tech support forums. Learn about PC building, case mods, computer repairs, and computer troubleshooting. Get help from knowledgable community members about computer hardware and computer software, laptops, notebooks, netbooks, consumer electronics & mp3 players, home networking, lcd TVs, home audio and more.
Welcome to eggXpert.com. Sign in | Join | Help
in Search
Advanced Search
Home Forums Chat Blogs Deals Newsletter About

Capt. Insane

The cleverness of email phishers

I've been noticing lately a big increase in spam in one of my Gmail accounts. It's understandable since I use this address for things that would probably garner high volumes of spam (use your imagination). When I go to delete my junk email folder, I skim the emails in sight to see if a legit one got tossed there by accident (so far, none have. Go Gmail!). I see a lot of emails where the sender is "me;" I know I didn't send these, but what about other people? Many of these include subjects such as "re: order number [enter random number]" or something about jobs.

I find it interesting that spam email is evolving and growing more intelligent. I guess in the scheme of things this is understandable, but I'm sick of it. Hackers, phishers, spammers, etc need to get a life. It's bull that they spend their time trying to steal people's money and identity instead of getting a real job. I can't stand people like that. And most of the victims are those who don't know any better because they're not very internet-savvy, and then they get taken advantage of. You might say "Well, it's their own dumb fault," but in many cases it isn't.

To my knowledge, there aren't classes that educate people about this sort of thing, and some people don't have the common sense to not click on such emails. It's like the AIM/Facebook scams that come from a friend, trying to get you to click on a link. Well, not everyone will know that this is a virus and by clicking on it they're harming their computer.

Because all of this is so new to most people, there needs to be more to protect the average internet user. I'm not talking about restricting or filtering the internet or anything like it. I'm talking education and awareness. I think most branded computers come with some sort of anti-virus software, and many ISPs provide AV software, but most of it is either a trial or of poor quality, and most people won't want to spend money on a product they don't think they need.

Sure, there are people out there--like blackhats turned good (white? don't really like the whole color connotation)--who are working to help fix massive flaws in the internet. However, even more people are looking for and making ways to exploit flaws. I recently read an article on wired.com about a hacker who was helping companies protect their networks, and then turned around and exploited them: he actually created backdoors in the patch he was making. Afterwards, he took over carder sites (websites that sell ill-gotten identities and credit card numbers) to control this whole illegal segment of the internet. He never profitted from it, but it brings up the whole "awareness" them again. These sites are there because people are careless and are having their identity stolen. Again, you could say it's their own dumb fault, and sometimes it is, but not always. Many times this happens without the victim doing anything wrong; simply buying dinner at a restaurant can lead to stolen credit card numbers.

It's not, however, the identity theft that concerns me; most banks offer some sort of protection against this, even for the lowest-level bank accounts. I'm more concerned about people having their computers taken over by hackers and having important information deleted: family photos, blogs, creative writing pieces. (But of course, identity information is also thrown into here.) I would imagine that more than 65% of people don't create backups of their data; not because they're too lazy, but because they don't think they need to or know they should.

This all connects into how clevier phishers are getting. Email provers like Gmail do have good spam filters, but what about the ones that don't? And what happens if people click on these emails any way (again, their own dumb fault, perhaps, but that's besides the point)? I think something needs to be done about this. There needs to be more to educate the masses about internet safety, and there needs to be stricter cyberspace laws. Of course, the latter is close to irrelevency since most people don't get caught for minor phishing scams. If a person phyically steals something from someone, the police will investigate and attempt to imprison the robber (you can also view this with property damage and any number of other crimes). But if it happens online? Well, there's a tracability issue, and it's harder to track these people down to prosecute them. It appears as though the FBI is the primary law enforcement agency of the internet, but they also don't appear to care about smaller issues; they want the big crimes: millions of dollars stolen, all of Google's databases deleted (never happened, but you know what I'm getting at). Why is the internet any different from reality? Neighbor kills your dog, steals a hundred bucks from you, it gets reported, and police move to action. But a hacker breaks into your computer and completely wipes clean your hard drive and you've got no recourse.

I just answered part of this problem. What happens if a hacker breaks into your computer and deletes all your files? Apart from (possibly) crying, what do you do? Call the police? Call the FBI? I don't know, and I'm very proficient with computers. There might be something out there, and I don't know about it. If it's there, it's not advertised at all, and I've never seen anything like that posted here on EggXpert. Though, I've also not seen anything about identity theft or someone's computer being hacked into (have seen virus, issues, though). That leads me to believe that there is nothing like that out there, no Cyber Police. It should be there, and it should be oublicly known about. Clearly, right now it'd be hard to form up something like this due to the econmy, but something needs to be done. These b******s need catching and punishing.

Published Monday, January 12, 2009 2:16 PM by Capt. Insane

Comments

 

Blog Picks said:

The Cleverness of Email Phishers Read all about one of our members thoughts about Email phishers. Created

January 13, 2009 3:32 PM
 

Drinksabit said:

One could start with their states' Atty. Gen., not that they are likely to do anything.  But, hey, it's a place for someone to start. It is my opinion that if they get enough complaints from their own state, they just might look into it... mabye not.  Of course a large campaign contribution ... oh, I'm not going to finish that thought.

January 14, 2009 2:10 PM
 

Gametech said:

Well part of the issue is that American Law (and most others for that matter) requires a lot of time to adapt itself to new circumstances. Most of the systems setup in our country have been in place for at least a hundred years. There have been police and courthouses since there were towns in America thus we have a system that works decently (as in your example). The internet has gone from non-exsistant to a world-wide phenomenon in like what? 25 years? less?

Not to say this is an excuse but it definitly serves as evidence that our lawmakers and enforcers are simply running to catch up to the problems found in cyber space today. The internet is much like an undiscovered country right now, all kinds of people are exploring and exploiting it for different reasons but there's nothing to keep them from being attacked, or attacking someone else without recourse.

I will say that I believe the first course of action from the authorities would be to have a better way of monitoring the internet. Currently, there's nothing they really can do to tell if you've been hacked other than what you tell them, that's like you saying someone stole your thoughts, there's not really any way they can monitor what was taken vs. what may not have been there in the first place. Thus without evidence many of our current law enforcement measures don't hold up.

Like you said if you had backed up the data, maybe something could be done, but again I compare it to settlers colonizing a new world, most internet users are like pilgims in a canoe, no protection, no tools or knowledge of what's out there. Sure some of us have knowledge and tools but still get raided by indians...the point is without a governing authority in this new world whomever has the sharpest wit will prevale.

January 15, 2009 12:13 PM
 

daniel88c said:

Personally, I think that it will and continue to happen.

That's almost like saying the police is going to stop organized crime. Ha!

January 16, 2009 6:14 AM
 

Rangertech724 said:

Not sure how familar you all are with forensic tools on the computer, but I can tell if somthing was there and when it was taken. I can even tell if you tried to delete somthing and find it in the hard drive after you think you have deleted it. One of the simple tools used is FTK. Google it you will be surprised what is there when most people think somthing is gone. As for real time monitoring this is impossible, simple too much traffic and too many packets to sift through for real time who is doing what type of information.

 To some extent you can also tell what information was on a drive, but that can be tweaked with by an experienced intruder with good tech skills.

January 29, 2009 10:52 AM
 

PapaHomer said:

Hey Capt

"I feel your pain".  I have a Yahoo and a Gmail acct.  I seem to get more spam/phishing emails on Yahoo...but their spam filter is pretty good.  I'm thinking that they probably prevent a lot more.  

At one time I would forward emails with headers to the spammer's ISP, attorney general, uce@ftc.gov, etc.   However, that worked well..."not so much".  I think I actually started getting more.

Lately I have noticed more of the phishing and less of the spam.  The phishing emails have all of the graphics and the look of something official.   Two tips that I would give to anybody are:

1) If it seems suspicious and/or unsolicited, trust your gut.

2) If you mouse over (do not click) the links in the email and the real URL that shows up is some IP address or any address other than the company you have proof.

I have forwarded the phishing emails to the banks and financial institutions they were posing as.   Most legitimate sites have addresses where you can report phishing to.

abuse@chase, etc

Peace...PH

January 31, 2009 3:00 PM
 

Fizzter said:

Your thoughts are on the right track.  I have worked in the email security space and seen the millions of emails that get sent to companies and some of the ever-evolving tactics.

One of my particular favorites from back in the day was a money making attempt based on stocks.  (They're all based on money.. money drives everything).  The spammers send out millions of emails telling people to buy a certain stock.  Maybe 1% of those people bite, and this temporarily drives up the popularity and price.  The spammers sell for profit.

The problem is out there, and even with ever-evolving filters and software, it isn't going away.  The AV-software paradigm is a falacy itself, doomed to failure.  The proper long-term protection should be proper education and use, perhaps in combination with behavioral technology rather than signature based.  It goes along the same lines as abstinance-only teaching in schools, but I dare not get into that shenanigan...

Right now, the education isn't there, and shoddy AV products and mail filters are the best we can do.  Teaching this to kids in schools isn't going to work yet, either, because the people running those schools typically don't have the knowledge to realize they have this large gap.

A general tip for email--don't click on links.  Always go directly to the site yourself.  If you're unsure whether or not the site is the "real deal", log in with a fake username/password first.  The real site will deny it, but a fake site will take it as harvested data.

The general rule is that if your AV product is catching stuff, then you aren't using the computer properly, and you're probably already infected. :)

Good luck!

February 10, 2009 5:39 AM
 

Allen750 said:

Well, I create a filter in Gmail with my own signature as the special rule and everything else goes to the crapper.

February 14, 2009 5:02 PM
Anonymous comments are disabled

This Blog

Syndication

Tags

No tags have been created or used yet.

 Home   Forums   Chat   Blogs   Deals   Newsletter   About 

 FAQ   Terms of Use   Privacy Policy   Contact Us 

©2009 Newegg, Inc. All rights reserved.